DETAILED ACTION 

1. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/3/08 
has been entered. New claims 37-38 are added. Claims 1, 3, 5-8, 24-38 are pending. 

Response to Arguments 

2. Applicant's arguments filed November 3, 2008 have been considered but are 
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

2. Claims 1, 3, 5-8 and 24-37 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over "Security Assertions Markup Language (SAML)", Netegrity, May 20, 
2001, Pages 1-7 (hereinafter SAML) in view of Wood et al. (hereinafter Wood) US 
6,892,307 and in view of Mishra et al. "Security Services Markup Language", January 
8, 2001 (hereinafter Mishra). 
[Note: "XML Key Management Specification (XKMS)", W3C Note 30, March 2001, 
pages 28-45, is used to further elaborate on the teaching of XML signature and HMAC 
taught by Mishra reference] 

As per claims 1, 7, 26 and 32: 

SAML teaches a method comprising intercepting at an agent a web service 
customer access to a first web service, the agent residing between the web service 
customer and the first web service and between the web service customer and a 
second web service; (pages 5-6, SAML Overview; Authentication Authority.... A third 
party security service can provide authentication assertions for the end-user. Multiple 
destination web sites can then use the same authentication assertions to authenticate 
the end-user) collecting at the agent one or more credentials of the web service 
customer; (pages 5-6, SAML Overview; End-user submits credentials to Authentication 
Authority... the security service acts as a credentials collector, authentication authority, 
and attribute authority) determining at the agent whether the web service customer is 
authenticated and authorized; (pages 5-6, SAML Overview; Authentication Authority 
asserts user's credentials against user directory) if the web service customer is 
authenticated and authorized, at the agent: granting the first request; initiating creation 
of a session and a session ticket; obtaining a session ticket ID for the session ticket; 
(page 5, SAML Overview; Authentication Authority generates an Assertion together with 
one or more attribute assertions. End-user is now authenticated and identified by SAML 
assertions assembled in a token... SAML assertions are encoded in common SML 
schema ...unique identifier used for the assertion name, date and time of issuance, and 
the time interval for which the assertion is valid... authorization and key delegation 
applications) intercepting a second request to grant the web service customer access to 
the second web service, the second request comprising the assertion and a private key; 
(page 5, SAML Overview; the end-user's SAML token can be presented to trusted 
business partners affiliated in a single-sign-on relationship) and if the private key 
matches the public key in the assertion, grant the second request without 
reauthenticating or reauthorizing the web service customer (pages 5-6; Multiple 
destination web sites can use the same authentication assertion ... the security service 
acts as a credential collector, authentication authority, attribute authority and PDP). 

SAML does not explicitly disclose intercepting a second request to grant the web 
service customer access to the second web service; encrypting the session ticket ID 
and a public key into an assertion and matching a private key with the public key in the 
assertion. Wood in analogous art, however, discloses intercepting at the agent a second 
request to grant the web service customer access to the second web service (col. 5, 
lines 19-24; col. 8, lines 23-67). Therefore it would have been obvious to one of ordinary 
skill in the art at the time the invention was made to modify the method disclosed by 
SAML with Wood in order to provide a single-sign-on for multiple information 
resources. (Abstract, Wood) 

Both references do not explicitly disclose encrypting the session ticket ID and a 
public key into an assertion and matching a private key with the public key in the 
assertion. Mishra in analogous art, however, discloses encrypting the session ticket ID 
and a public key into an assertion and matching a private key with the public key in the 
assertion. (page 11, 4. Architecture; ...assertions must be signed using the framework 
described in the [XML-SIG] specification... supports both using secret-key (for example, 
HMAC) and public-key signing; page 31 MIME Binding) Therefore, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to modify the 
method disclosed by SAML and Wood with Mishra in order to provide security services 
for assertions that may travel across the Internet and be scrutinized and checked for 
validity far from the point of origin. (page 11; Mishra) 

As per claims 3, 8 and 27: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, SAML further discloses a method wherein the assertion 
comprises a Security Assertions Markup Language (SAML) assertion. (pages 5-6) 

As per claims 5 and 28: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, SAML further discloses wherein the agent comprises an 
Extensible Markup Language (XML) agent. (page 6) 

As per claims 6 and 29: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, SAML further discloses wherein the processor are further 
operable to determine whether the web service customer is authenticated and 
authorized comprises comparing the web service customer with a database containing 
authentication and authorization data. (pages 5-6) 

As per claims 24 and 30: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, SAML further discloses wherein the first request and the 
second request both originate at the web service customer; and the method further 
comprising communicating the assertion to the web service customer to enable the web 
service customer to access the second web service without reauthentication or 
reauthorization after the web service customer accesses the first web service. (pages 5-6) 

As per claims 25, 31 and 35: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, SAML further discloses a method 
wherein the first request originates at the web service customer and the second request 
originates at the first web service; (pages 5-6) and the method further comprising 
communicating the assertion to the first web service to enable the web service customer 
to access the second web service without reauthentication or reauthorization after the 
web service customer accesses the first web service. (pages 5-6) 

As per claim 33: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, Mishra further discloses a method comprising at the 
agent, placing the assertion into a header; sending the assertion to the first web service; 
returning the assertion to the web service consumer. (page 7, 3 S2ML Use Case 
Scenarios; assertions can travel with the user in various ways...http headers) 

As per claim 34: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, Mishra further discloses a method wherein the second 
request comprises an XML document containing the assertion; and wherein the web 
service customer has signed the XML document with the private key. (page 11, 4. 
Architecture) 

As per claims 36-37: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. In addition, Wood further discloses wherein the second request is 
intercepted at the agent before the second web service. (col. 5, lines 19-24; col. 8, lines 
23-67) 

3. Claim 38 is rejected under 35 U.S.C. 103(a) as being unpatentable over "Security 
Assertions Markup Language (SAML)", Netegrity, May 20, 2001, Pages 1-7 (hereinafter 
SAML) in view of Wood et al. (hereinafter Wood) US 6,892,307 and in view of Mishra et 
al. "Security Services Markup Language", January 8, 2001 (hereinafter Mishra) and 
further in view of Moreh et al. (hereinafter Moreh) US 6,959,336. 

As per claim 38: 

The combination of SAML, Wood and Mishra teaches all the subject matter as 
discussed above. None of the references explicitly disclose determining at the agent 
whether the public key matches the private key. Moreh in analogous art, however, 
discloses determining at the agent whether the public key matches the private key. (col. 
8, lines 22-col. 9, line 7) Therefore, it would have been obvious to one of ordinary skill in 
the art at the time the invention was made to modify the method disclosed by SAML and 
Wood and Mishra with Moreh in order to provide a system to authenticate the owner of 
the assertion and verify the digital signature of the owner. (col. 8, lines 35-37; Moreh) 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHEWAYE GELAGAY whose telephone number is 
(571)272-4219. The examiner can normally be reached on 8:00 am to 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 